I.T.@Morrison & Foerster L.L.P.

Lawyers: Leave Your Laptop at the Office

Small and handy security tools help mobile lawyers travel without breaking their shoulders.

By Jo Haraf

NO MATTER how fast remote access connections evolve and how small notebooks shrink, traveling attorneys need to carry a notebook computer to access their firm's network.

And while notebooks are no longer bricks, the lightest still weigh in at about four pounds and manage to defy the laws of physics by gaining weight as you run for an airplane.

Fortunately, a happy convergence of three critical technologies now supports a convenient, light and secure way to access a firm network. This can allow users to leave their notebooks behind, yet still check in to the office via Internet cafes, borrowed computers, or at satellite offices. Our attorneys spend as much time on the road as they do in one of our offices. And we have a lot of offices!

Morrison & Foerster was established in 1856. We now have 17 locations and more than 1,000 lawyers. Seven are in California; six abroad; and the remaining four are located in Denver, New York, Washington, D.C., and Northern Virginia.

We have enjoyed a reputation as one of the most employee-friendly large firms in the country. We are the only law firm to make the Fortune magazine 1998 list of the "100 Best Companies to Work for in America."

We've won numerous awards for our pro bono work; our efforts to recruit and retain minority lawyers; and our support of women in the profession.

According to the most recent AmLaw Tech survey, MoFo is has the largest intellectual property practice of any general practice firm.

History Lesson

SecurID looks like the watch fob your grandfather hung off his pocket watch.

-Jo Haraf

Before we look at MoFo's remote access system, let's review a brief bit of history. The first piece of critical technology for remote access is the Internet.

In the early 1970s, the Department of Defense Advanced Research Projects Agency launched ARPANET, the parent of today's ubiquitous Internet.

Today, unless you're in a rowboat in the middle of the ocean, you can find an Internet access point within shouting distance. Even my local spa offers a high speed DSL link for patrons to enjoy while awaiting their next moment of Zen.

The second piece of our puzzle is the omnipresent Web browser. The Internet browser's easy of use and unbelievably rapid market adoption inspired everyone from garage hackers to Microsoft Corp. to develop applications to run in a graphical Web-based window.

A universal network and an easy-to-use, common application interface are a good start, but if you want to do something more than chat online about whether Elvis is really dead, you need security, our third component.

No one is going to risk their credit card number or client's data without the confidence that they can control who sees that information.

Secure connections over the Internet became generally available in the mid-'90s, when Netscape introduced SSL (secure sockets layer) protocol to manage message transmission.

Now we have all the pieces we need: the Internet, the browser, and security. All that's left is to invoke that security on demand. Enter RSA Security Inc.'s RSA SecurID.

It's Morrison & Foerster's traveling authentication tool of choice. Imagine a tiny tamper-resistant device, that is -- in size and appearance -- not unlike the keyless entry system available for most upscale cars.

RSA calls it a "key fob" and it looks like the watch fob your grandfather hung off his pocket watch. The similarity ends at size -- unless your grandfather's fob sported a small LCD screen that displayed a different six-digit code every 60 seconds.

The RSA SecurID key fob is one part of a two-factor "strong authentication" scheme:

Factor one: What you have: (the key fob).

Factor two: What you know: (a PIN).

Analogous to ATM

This is completely analogous to ATM access: You have a card and know your PIN. One without the other just won't work.

With that picture in mind, let's follow an attorney walking up to a PC or kiosk with Internet access. She enters a Web address, such as https://private.myfirm.com. Up pops a dialog box asking for three pieces of data:

Let's see what goes into a SecurID installation with a few lessons learned from MoFo's implementation, courtesy of Mark Potloff, our remote network analyst:

* Did you notice that there is an 's' i in https://private.myfirm.com? That's critical for reaching a Web site secured by SSL. Next time you're buying something on the Internet, take a look at the URLs. You'll see quite a few "s" enabled SSL s secured sites.

For more information on the details of SSL and digital certificate security visit RSA Security.

* Not all applications are SSL friendly. Microsoft's Outlook Web Access is, and it's a fine place to start.

* If users forget their PINs, they must coordinate new ones with their administrator. For a successful reset, you need both halves of the puzzle, the fob number and the PIN.

* Administration of SecurID accounts can be done from work or home. This supports responsive administration during evenings and weekends.

* Although this technology is well- suited for network access when on the road, it can be an incredible time-saving tool when traveling within your own firm.

Network log-ons can be time consuming when not in your home office. When I travel, I use a local Internet-only account to access the Internet in seconds.

Once on the Internet, my key fob and I are checking e-mail in a fraction of the time that it would take if I had used a traditional log-on.

* The SecurID system can authenticate via a radius server, which may allow you to eliminate many of your remote access passwords.

SecurID may become your sole authentication for RAS, virtual private networks, or whatever services you use for remote access.

If a traveling attorneys lose their fobs, they are not out of luck. A temporary "fixed" password can be assigned to their account to take the place of their SecurID's six-digit number.

This password can be set to expire the day the user returns from his or her trip.

Risk Management

Getting the technology to work is half the battle, but risk management and security policies are tricky too.

Here are some of the policies and procedures in place at MoFo:

* Fob orders are placed through an Intranet page with reminders of MoFo's secure access policies.

* Users are allowed to pick a PIN they can remember rather than being assigned one that they will most likely write down.

* If attorneys walk away from a MoFo RSA SecurID enabled session; they are automatically logged off in five minutes.

If they are reading a long e-mail or go to another Web site from their e-mail, they have five minutes to return before they have to log in again.

* Lost fobs are immediately disabled. But the lost fob is still listed under the user's account and can be enabled again if they find it.